eSN Exclusive: Why the new federal anti-spam law lacks bite

By Corey Murray, Assistant Editor, eSchool News

January 30th, 2004

Nearly two months after Congress passed the Can-Spam Act of 2003, imposing fines and limitations on those who deluge the electronic in-boxes of consumers, including school-age children, with swaths of unsolicited commercial eMail, educational technology leaders say the problem of spam in the nation’s schools continues–and it might even be getting worse.

Though the federal law, which took effect Jan. 1, does not outlaw the transmission of electronic spam mail, it does prohibit spammers from attempting to disguise their identities through dubious return addresses or misleading subject lines and from harvesting valid eMail addresses off legitimate web sites, including online school directories. The law also requires spammers to include an opt-out function in their solicitations, which would enable consumers to decline any future communications from senders on a case-by-case basis.

Supporters of the law had hoped the threat of stringent penalties–from stiff fines to criminal prosecution–would help curb spam, especially solicitations for pornography, sexual enhancement, online gambling, and other potentially offensive products and services. But since the law’s passage, computer users say they’ve been inundated with messages hawking everything from discounted Valium to Viagra. The problem has become a source of frustration for school technology leaders in particular, many of whom are charged with the difficult task of keeping spam from reaching students and faculty during the school day.

Scott Kovacik, an information technology liaison for the San Diego City Schools in southern California, says even with the aid of a high-end spam filter–which blocks as many as 20,000 pieces of unsolicited eMail per month–faculty and staff in the nation’s seventh largest school system still receive on average a handful of bogus messages each day.

It doesn’t matter whether you’re a teacher, principal, or administrator, Kovacik said: Spam is a problem. “No doubt about it, it’s a worldwide epidemic,” he said. “And [schools] are just as much a victim as any other business or corporation.”

And as for the new federal law? It hasn’t helped, at least not yet. “We’ve seen no significant change in the amount of spam received [since Jan. 1],” Kovacik said. “In fact, we’ve seen a large and rather annoying amount.”

The same can be said for schools in other states as well. “On a daily basis, it’s just as bad,” said Beth Kuehl, an educational technology specialist for Area Education Agency 267 in Iowa, which oversees more than 72,000 students in 62 public schools and a number of private institutions across the state.

Since the bill became law, Kuehl–who receives as many as 100 spam messages a day–says schools in her region still are filtering out only about 32 percent of unwanted messages on a daily basis.

Detractors contend that’s because the legislation is all bark and no bite. Although the Federal Trade Commission (FTC)–the agency in charge of fining violators–likely will have mild success against the most novice of spammers, the law’s critics say FTC investigators are no match for the nefarious tactics of the world’s savviest commercial spam artists.

In fact, a recent report from one spam filtering vendor estimates that only 10 percent of junk eMails sent today are in compliance with the new federal law. According to Audiotrieve LLC, maker of the InBoxer filtering system, a survey of more than 1,000 messages collected through “honey-pot” eMail accounts–repositories created to bank and analyze spam–revealed that only 102 of the messages actually met all of the law’s requirements. Of the remaining 898 messages, the Boxborough, Mass.-based company said two-thirds had no opt-out feature and none appeared to have physical addresses as required by law.

“Unfortunately, Can-Spam doesn’t can spam,” said Roger Matus, chief executive of Audiotrieve. “Companies that already act at the margins of the law seem to also ignore these new regulations.”

Instead of making life more difficult for spammers, Matus says the law makes life easier, trumping stricter provisions laid out in state laws–such as those blocked recently in California and Virginia–while depriving individuals and corporations of their right to sue spammers of their own accord.

The California law, for instance, would have let spam recipients sue advertisers who use misleading subject lines, invalid reply addresses, or disguised paths to send bulk commercial eMails. It also would have allowed civil judgments of up to $1,000 per message or $1 million per incident.

In all, 36 states have passed anti-spam laws–all of which are superseded by the federal legislation.

“The [federal] law actually makes the world a much safer place [for spammers],” Matus said, noting that under the Can-Spam Act only the federal government and state attorneys general can seek legal action against alleged violators. It doesn’t help that a large percentage of spammers conduct their operations overseas, he added–well beyond the long arm of federal law enforcement: “The [FTC] can’t reach them.”

At home, technology is creating problems of its own. Andrew Lochart, director of product marketing for spam filtering service provider Postini Inc., points out existing eMail technology was not built with the nefarious intentions of spammers in mind.

Originally, he said, Simple Mail Transfer Protocol, or SMTP–the language computers use to exchange messages across the internet–was intended to provide a free, uninhibited information exchange between technologists and academics, not a launching pad for mass-marketing campaigns.

In fact, it’s the open nature of SMTP that has left the nation’s eMail servers vulnerable to numerous threats–from debilitating computer viruses such as the Mydoom worm unleashed earlier this week to flash-flood spam assaults, Lochart said.

What’s more, the internet is a very easy place for people to hide. The savviest computer users are able to hop in and out of open relays at will and otherwise disguise their identities by spoofing internet protocol (IP) addresses–a move that makes them virtually untraceable. “You can claim to be anyone you want,” Lochart said. “Before you can prosecute [spammers], first you must be able to find them.”

He expects the FTC eventually will dole out fines to new and unaccomplished spammers, but doubts the agency will have much luck against more serious offenders. “It’s really going to take a massive overhaul of the protocols involved in order to catch the really big guys,” Lochart said. “I doubt they’re losing any sleep at night.”

Still, the FTC says it is making headway. Aside from drawing up new rules and giving periodic updates to members of Congress, the agency currently collects an average of 250,000 spam messages a day through tips from consumers and other means.

FTC staff attorney Katie Harrington-McBride said the messages are part of a massive collection effort on behalf of the agency to track and analyze spam transmissions in hopes of identifying suspect subject lines and other clues that will lead investigators to the origins of these scams.

“It’s really too early yet to tell what the impact of the law will be,” Harrington-McBride said. Though the FTC has yet to announce publicly any legal action taken against alleged scammers under the new law, it does suggest computer users–including educators–can do their part by reporting illegal activity via eMail to the agency’s web site. To participate, consumers must send a copy of the message in question to the FTC’s unsolicited commercial eMail division at uce@ftc.gov.

Victims also can report concerns to the agency’s Consumer Response Center, which will make the complaints accessible to different branches of law enforcement.

With regard to pinpointing the exact source of such spam messages, Harrington-McBride said the FTC is well aware of the problems posed by the anonymous nature of the internet. One tactic law enforcement likely will use is to target businesses that employ spammers to conduct advertising campaigns for their products, the idea being to uncover a “money trail” that will lead them directly to the source.

Under the law, the FTC also will create a federal “do-not-spam” registry similar to the “do-not-call” list officials used earlier this year to stave off unsolicited telephone calls, though Harrington-McBride said details are still pending.

In the meantime, the FTC recommends that eMail users pay close attention to the opt-out provision of the law. If a spammer continues to send messages even after a user has opted out, the sender would be considered in violation of the law and subject to legal action, officials said.

But convincing computer users it’s in their best interest to participate might be easier said than done. Many contend the new opt-out provision goes against everything people have been taught about internet security.

As a general rule of thumb, San Diego’s Kovacik said he instructs educators to resist the temptation to respond to unsolicited eMails. While most legitimate businesses likely will respect the opt-out provision, he said, responding to an illegitimate eMail could put educators and others in a position to receive even more spam. That’s a risk he’s not willing to take. “Until this law gets some legs,” he said, “[our district] will continue to perform the practice of not clicking.”

On Capitol Hill, lawmakers acknowledge that they don’t anticipate stopping the spread of spam mail entirely, but say they are at least interested in giving consumers an opportunity to decide for themselves whether they want to receive the messages.

In an interview with eSchool News, bill sponsor Sen. Conrad Burns, R-Mont., said he would wait to see how federal officials interpret the rules before commenting on the impact of the legislation, but he hopes the law will make it tougher on people “who use the internet to scam.”

The idea, he said, is to create greater public awareness of the problem and give consumers “more control” over what messages they receive.

For schools, the problem is twofold. Administrators and information technology (IT) directors must continue to look for ways not only to protect faculty and staff from unwanted solicitations but also to keep students from receiving the messages.

A recent study from internet security firm Symantec Corp. reports that eight out of 10 children receive lewd, inappropriate, or potentially dangerous spam on a daily basis. The survey underscores the need for parents, educators, and policy makers to find new ways to combat spam.

In San Diego, educators have addressed the problem by refusing to give students school-sponsored eMail accounts. “We’ve floated the idea,” Kovacik said. “But in hindsight, it was a good idea not to move forward considering what we’re seeing now.”

In Iowa, Kuehl recommends that districts “keep a real tight network.” One way of doing that, she said, is to make sure people with school-sponsored eMail accounts do not fill out online forms using their school eMail address. Another option, which she would advise against, is to take eMail addresses off the school web site entirely. That way, she said, spammers have no way of harvesting those addresses and later using them in their commercial transmissions. The problem with this approach is that community members and parents also would have a hard time finding that information. “You can’t compromise community or parents,” she said. “That would be a real downfall.”

To date, the best option for schools remains some type of spam filter. But even the most advanced products–including Postini’s web-based service, which filters more than 2 billion messages a week for more than 5 million users nationwide–are not 100-percent effective.

So how long will it take to do away with spam entirely? Two years, if Microsoft chairman and chief software designer Bill Gates has anything to say about it. In a Jan. 23 speech at the World Economic Forum in Switzerland, Gates said the software giant is working on a solution based on the concept of “proof,” or identifying the sender of the eMail, according to an Associated Press (AP) report.

“One method involves a human challenge, or requiring the sender of an electronic pitch to solve a puzzle that only a flesh-and-blood person can handle. Another is a so-called ‘computational puzzle’ that a computer sending only a few messages could easily handle, but that would be prohibitively expensive for a mass-mailer,” according to the Jan. 25 report.

Under Gates’ plan, consumers also would have the ability to charge spammers money for accepting their messages.

“People would set a level of monetary risk–low or high, depending on their choice–for receiving eMail from strangers. If the eMail turns out to be from a long-lost relative, for example, the recipient would charge nothing. But if it is unwanted spam, the sender would have to fork over the cash,” according to the AP account.

“In the long run, the monetary [method] will be dominant,” Gates reportedly predicted.